Add RealTek AmebaPro2 (RTL8735B) HUK crypto-callback port

.github/workflows/rtl8735b.yml

@@ -0,0 +1,86 @@
+name: RealTek RTL8735B (AmebaPro2) HUK port Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'release/**' ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches: [ '*' ]
+  # Weekday-morning cron seeds the master-scoped ccache that PR runs restore
+  # read-only (see ccache-setup).
+  schedule:
+    - cron: '27 10 * * 1-5'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  # Host compile-test of the RTL8735B HUK crypto-callback port. --enable-rtl8735b
+  # sets WOLFSSL_RTL8735B_HOST_TEST, which swaps the vendor HAL headers for
+  # rtl8735b_shim.h (sentinel stubs, no real crypto). So this is a build-only
+  # test: it exercises the crypto-callback dispatch, info-struct field access,
+  # compile guards, and build wiring without the RealTek SDK. Functional crypto
+  # validation requires RTL8735B hardware (see the port README). Configs span
+  # the algo/guard combinations and both WOLFSSL_SMALL_STACK branches of the
+  # HW-ECDSA helpers; build via .github/scripts/parallel-make-check.py (see
+  # cryptocb-only.yml / os-check.yml for the full pattern), one out-of-tree
+  # build dir per config off a single checkout/autogen.
+  build:
+    name: build (--enable-rtl8735b)
+    if: ${{ (github.repository_owner == 'wolfssl') && (github.event_name != 'pull_request' || github.event.pull_request.draft == false) }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v5
+        name: Checkout wolfSSL
+
+      - name: Install dependencies
+        uses: ./.github/actions/install-apt-deps
+        with:
+          packages: autoconf automake libtool build-essential
+          ghcr-debs-tag: ubuntu-24.04-minimal
+
+      - name: Set up ccache
+        uses: ./.github/actions/ccache-setup
+        with:
+          workflow-id: rtl8735b
+          read-only: ${{ github.event_name == 'pull_request' }}
+          max-size: 100M
+
+      - name: Build all configs (compile-only, out-of-tree)
+        run: |
+          cat > "$RUNNER_TEMP/rtl8735b-configs.json" <<'EOF'
+          [
+          {"name": "full-smallstack", "minutes": 2,
+           "comment": "All port paths (AES-GCM/ECB/CBC/CTR, HMAC-SHA256, ECDSA P-256) with WOLFSSL_SMALL_STACK -> exercises the heap branch of the HW-ECDSA mp_int helpers.",
+           "configure": ["--enable-rtl8735b", "--enable-cryptocb", "--enable-ecc",
+            "--enable-aesgcm", "--enable-aesctr", "--enable-aescbc",
+            "CPPFLAGS=-DWOLFSSL_SMALL_STACK"]},
+          {"name": "full", "minutes": 2,
+           "comment": "Same algo coverage without WOLFSSL_SMALL_STACK -> exercises the on-stack (array) branch of the HW-ECDSA mp_int helpers.",
+           "configure": ["--enable-rtl8735b", "--enable-cryptocb", "--enable-ecc",
+            "--enable-aesgcm", "--enable-aesctr", "--enable-aescbc"]},
+          {"name": "min", "minutes": 2,
+           "comment": "Minimal: no ECC (HW/SW ECDSA sign code compiled out), AES + HMAC only -> exercises the non-ECC compile guards.",
+           "configure": ["--enable-rtl8735b", "--enable-cryptocb"]}
+          ]
+          EOF
+          .github/scripts/parallel-make-check.py --build-only \
+            "$RUNNER_TEMP/rtl8735b-configs.json"
+
+      - name: ccache stats
+        if: always()
+        run: ccache -s || true
+
+      - name: Upload logs on failure
+        if: failure()
+        uses: actions/upload-artifact@v6
+        with:
+          retention-days: 7
+          name: rtl8735b-logs
+          path: |
+            build-*/config.log
+          if-no-files-found: ignore

configure.ac

@@ -3212,6 +3212,25 @@ case "$ENABLED_STSAFE" in
 esac
 
 
+# RealTek AmebaPro2 (RTL8735B) HUK crypto-callback port.
+# On-target the application supplies the AmebaPro2 HAL include path. This option
+# is a host compile-test of the port: it swaps the HAL headers for a shim
+# (WOLFSSL_RTL8735B_HOST_TEST) so the cryptocb dispatch and wiring build without
+# the vendor SDK. It forces crypto callbacks on (see the cryptocb block).
+# Example: "./configure --enable-rtl8735b"
+ENABLED_RTL8735B="no"
+AC_ARG_ENABLE([rtl8735b],
+    [AS_HELP_STRING([--enable-rtl8735b],
+        [Enable RealTek AmebaPro2 (RTL8735B) HUK crypto-callback port (host compile-test).])],
+    [ ENABLED_RTL8735B=$enableval ],
+    [ ENABLED_RTL8735B=no ])
+
+if test "x$ENABLED_RTL8735B" != "xno"
+then
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RTL8735B_HUK -DWOLFSSL_RTL8735B_HOST_TEST -DHAVE_AES_ECB"
+fi
+
+
 # NXP SE050
 # Example: "./configure --with-se050=/home/pi/simw_top"
 ENABLED_SE050="no"
@@ -10680,7 +10699,7 @@ AC_ARG_ENABLE([cryptocb-sw-test],
     [ ENABLED_CRYPTOCB_SW_TEST=yes ]
     )
 
-if test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_WOLFTPM" = "xyes" || test "$ENABLED_CAAM" != "no"
+if test "x$ENABLED_PKCS11" = "xyes" || test "x$ENABLED_WOLFTPM" = "xyes" || test "$ENABLED_CAAM" != "no" || test "x$ENABLED_RTL8735B" != "xno"
 then
     ENABLED_CRYPTOCB=yes
 fi
@@ -12429,6 +12448,7 @@ AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"])
 AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"])
 AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"])
 AM_CONDITIONAL([BUILD_STSAFE],[test "x$ENABLED_STSAFE" != "xno"])
+AM_CONDITIONAL([BUILD_RTL8735B],[test "x$ENABLED_RTL8735B" != "xno"])
 AM_CONDITIONAL([BUILD_TROPIC01],[test "x$ENABLED_TROPIC01" = "xyes"])
 AM_CONDITIONAL([BUILD_KDF],[test "x$ENABLED_KDF" = "xyes"])
 AM_CONDITIONAL([BUILD_HMAC],[test "x$ENABLED_HMAC" = "xyes"])
@@ -13008,6 +13028,7 @@ echo "   * IoT-Safe:                   $ENABLED_IOTSAFE"
 echo "   * IoT-Safe HWRNG:             $ENABLED_IOTSAFE_HWRNG"
 echo "   * NXP SE050:                  $ENABLED_SE050"
 echo "   * STMicro STSAFE:             $ENABLED_STSAFE"
+echo "   * RealTek RTL8735B HUK:       $ENABLED_RTL8735B"
 echo "   * TROPIC01:                   $ENABLED_TROPIC01"
 echo "   * Maxim Integrated MAXQ10XX:  $ENABLED_MAXQ10XX"
 echo "   * PSA:                        $ENABLED_PSA"

wolfcrypt/src/include.am

@@ -105,6 +105,9 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
               wolfcrypt/src/port/st/README.md \
               wolfcrypt/src/port/st/STM32MP13.md \
 			  wolfcrypt/src/port/st/STM32MP25.md \
+              wolfcrypt/src/port/realtek/rtl8735b.c \
+              wolfcrypt/src/port/realtek/rtl8735b_shim.h \
+              wolfcrypt/src/port/realtek/README.md \
               wolfcrypt/src/port/tropicsquare/tropic01.c \
               wolfcrypt/src/port/tropicsquare/README.md \
               wolfcrypt/src/port/af_alg/afalg_aes.c \
@@ -244,6 +247,10 @@ if BUILD_TROPIC01
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/tropicsquare/tropic01.c
 endif
 
+if BUILD_RTL8735B
+src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/realtek/rtl8735b.c
+endif
+
 if BUILD_PSA
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/psa/psa.c
 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/psa/psa_hash.c